(19) Europäisches Patentamt
     European Patent Office
     Office européen des brevets
(11) EP 0 924 656 A2
(12) EUROPEAN PATENT APPLICATION

Appl. No. 10/050,046
Doc. Ref. AA3

(43) Date of publication: 23.06.1999 Bulletin 1999/25
(21) Application number: 981^3023.8
(22) Date of filing: 07.12.1998
(51) Int. Cl.: G07C 9/00
(84) Designated Contracting States: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
     Designated Extension States: AL LT LV MK RO SI
(30) Priority: 22.12.1997 US 995267
(71) Applicant: TRW Inc., Redondo Beach, California 90278 (US)
(72) Inventors:
• Hsu, Shi-Ping, Pasadena, CA 91107 (US)
• Ling, James M., Great Falls, VA 22066 (US)
• Messenger, Arthur F., Redondo Beach, CA 90278 (US)
• Evans, Bruce W., Redondo Beach, CA 90277 (US)
(74) Representative: Schmidt, Steffen J., Dipl.-Ing., Wuesthoff & Wuesthoff, Patent- und Rechtsanwälte, Schweigerstrasse 2, 81541 München (DE)

(54) Personal Identification FOB

(57) Apparatus, and a method for its use, for automatically verifying the identity of a person seeking access to a protected property, such as a car, room, building or automatic teller machine. The apparatus, which is disclosed in the form of a handheld fob (14), includes a sensor (16) for reading biometric data, such as a fingerprint image, from the person (12), and a correlator (28) for comparing the sensed data with a previously stored reference image (32) and for determining whether there is a match. If there is a match, the fob (14) initiates an exchange of signals with the "door" (10) that protects the property. Specifically, the fob (14) generates a numerical value, such as a cyclic redundancy code, from the stored reference image (32), encrypts the numerical value, and transmits it to the door (10) as confirmation of the person's identity. For further security, the person (12) registers this numerical value at each door (10) to which access is desired. Upon receipt of identity confirmation from the fob (14), the door (10) compares the received numerical value with the one stored during registration, before granting access.

Description

BACKGROUND OF THE INVENTION 

[0001] The present invention relates generally to personal identification or verification systems and, more particularly, to systems that automatically verify a person's identity before granting access to something of value. Traditionally, keys and locks, or combination locks, have been used to limit access to property, on the theory that only persons with a right to access the property will have the required key or combination. This traditional approach is, of course, still widely used to limit access to a variety of enclosed spaces, including rooms, buildings, automobiles and safe deposit boxes in banks. In recent years, mechanical locks have been supplanted by electronic ones actuated by encoded plastic cards, as used, for example, for access to hotel room doors, or to bank automatic teller machines (ATMs). In the latter case, the user of the plastic card as a "key" to a bank account must also supply a personal identification number (PIN) before access is granted.

[0002] Many automobiles are protected both by locks and by intrusion alarms, which are typically activated and deactivated using a small radio or infrared transmitter carried by the car owner as a key-chain fob. Although this type of device is convenient, its loss by the owner may render the vehicle just as vulnerable to theft as if mechanical keys had been used for protection.

[0003] Today, a person still needs to carry a variety of keys for access to home, workplace and car, and an ever expanding stack of plastic cards for access to financial assets, such as bank accounts and store charge accounts. Today's busy person must memorize several passwords and PINs for use in conjunction with the plastic cards, and for use to access computer software that may or may not require an access card as well. Moreover, all of the foregoing devices for limiting access are subject to theft, duplication and misuse. Assets protected by mechanical keys are the most vulnerable, of course, but assets protected by combinations, passwords and PINs are also subject to illegal entry by unauthorized users who have stolen, deduced or guessed the appropriate combination, password or PIN.

[0004] Accordingly, there is a widely felt need for a more reliable technique for limiting access to personal property and other valuable assets. Ideally, the technique should positively verify the identity of the person seeking access, and should eliminate the need to carry multiple keys and scannable cards, and the need to memorize combinations, passwords and PINs. The present invention satisfies this need.

SUMMARY OF THE INVENTION

[0005] The present invention resides in apparatus, and a method for its use, for automatically verifying the identity of a person seeking access to a protected property. The protected property may take a variety of forms, such as a building, a room, an automobile or a financial account. For purposes of explanation, access to the protected property is said to be obtained through a "door." In many cases, if the property is an automobile, a room or a building, for example, it will in fact have a physical door through which access is obtained. Other types of protected property will not have a physical entry door, but may still be considered to have a "door" for purposes of the present invention. In accordance with an important aspect of the invention, a person may securely access a door that is located right next to the user or one that is thousands of miles away.

[0006] Briefly, and in general terms, the apparatus of the present invention comprises a sensor, for reading biometric data identifying a person seeking access to a protected property; storage means, for storing reference biometric data identifying a person authorized to have access to the protected property; a correlator, for comparing the stored reference biometric data with the biometric data of the person seeking access and determining whether they match; and means for securely communicating identity confirmation to a door that provides access to the protected property upon receipt of the identity confirmation. The apparatus may further comprise a user interface having a first switch to initiate operation of the apparatus in a verification mode, and a second switch, actuation of which places the apparatus in an enroll mode of operation, wherein biometric data from the sensor are stored in the storage means for subsequent retrieval in the verification mode of operation.

[0007] In the disclosed embodiments of the invention, the sensor, the storage means and the correlator are all contained in a portable device, which may be a fob carried by the person, or some other type of communication device remote from the protected property. In the disclosed embodiments, the means for securely communicating identity confirmation includes means for generating a numerical value from the stored reference biometric data; encryption logic, for encrypting the numerical value; and a communication interface for sending the encrypted numerical value to the door, together with identification data for the person. The door provides the desired access to the protected property upon confirming that the transmitted numerical value is the same as one previously provided by the person during a registration procedure.

[0008] The apparatus of the invention may further include a receiver, for receiving an encryption key generated by and transmitted from the door, and means for storing a private encryption key in the portable device. Further, the encryption logic in the device includes means for doubly encrypting the numerical value using the encryption key received from the door and the private encryption key.

[0009] The apparatus of the invention may also be defined as a portable fob that includes a sensor, for reading fingerprint data identifying a user seeking access to a protected property; a memory for storing a reference fingerprint image of the user during an enrollment procedure and for holding the reference image for future use; an image correlator, for comparing the stored reference image with a fingerprint image of the user seeking access, as obtained from the sensor, and for determining whether the two images match; and means for securely communicating identity confirmation to a door that provides access to the protected property upon receipt of the identity confirmation. More specifically, the means for securely communicating identity confirmation includes means for generating a numerical value from the stored reference fingerprint image; encryption logic, for encrypting the numerical value; and a transmitter for sending the encrypted numerical value to the door, together with user identification data. The door provides the desired access to the protected property upon confirming that the transmitted numerical value is the same as one previously provided by the user during a registration procedure.

[0010] In the personal identification fob as defined in the previous paragraph, the means for generating a numerical value includes means for generating a cyclic redundancy code from the stored reference fingerprint image. The fob further includes a receiver, for receiving an encryption key generated by and transmitted from the door; and means for storing a private encryption key in the fob. The encryption logic in the fob includes means for doubly encrypting the numerical value using the encryption key received from the door and the private encryption key.

[0011] In terms of a novel method, the invention comprises the steps of sensing biometric data of a user, through a sensor that is part of a personal identification device carried by the user; comparing the sensed biometric data with reference biometric data previously stored in the personal identification device; determining whether the sensed biometric data match the reference biometric data; if there is a match, securely communicating an identity confirmation to a door that controls access to the protected property; and upon confirmation of the identity of the user at the door, actuating a device that provides the desired access. The method further comprises the step of initiating normal operation of the personal identification device by means of a manual switch.

[0012] In one embodiment of the method, there are optional steps of receiving a "wake-up" message from the door on approaching it to seek access; and initiating normal operation of the personal identification device on receiving the "wake-up" message. The step of securely communicating includes generating a numerical value from the stored reference biometric data; encrypting the numerical value; transmitting the encrypted numerical value to the door; transmitting user identification data to the door; receiving and decrypting the encrypted numerical value at the door; comparing the decrypted numerical value with one previously stored at the door by the user during a registration process, to confirm the identity of the user; and if the identity of the user is confirmed, activating a desired function to provide access to the protected property.

[0013] More specifically, the step of securely communicating further comprises the steps of generating at the door a random pair of door public and private encryption keys; transmitting the door public key to the personal identification device; selecting for the personal identification device a pair of public and private encryption keys for all subsequent uses of the device; providing the personal identification device public key to the door as part of the door registration process; and storing the personal identification device private key secretly in the device. The encrypting step includes doubly encrypting the numerical value with the door public key and the personal identification device private key. The method further includes the step, performed at the door, of decrypting the doubly encrypted numerical value using the personal identification device public key and the door private key.

[0014] It will be appreciated from the foregoing that the present invention represents a significant advance in providing secure access to buildings, vehicles, computers, or any other protected property. More particularly, the invention allows multiple properties or assets to be accessed using a single security device, which reliably identifies its owner using biometric data, such as a fingerprint. Because identification is verified in a small portable device, communication with multiple "doors" to protected property can be limited to a simple identity confirmation message, appropriately encrypted to prevent eavesdropping or reverse engineering. Other aspects and advantages of the invention will become apparent from the following more detailed description, taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0015]

FIG. 1 is a diagram illustrating an application of the invention, wherein a portable device is used to open a door to a protected property located nearby;
FIG. 2 is a block diagram depicting the principal components of the present invention;
FIG. 3 is a more detailed block diagram showing the components of a processor module shown in FIG. 2; and
FIG. 4 is a block diagram showing a sequence of signals transmitted between the portable device and a door to protected property.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0016] As shown in the drawings for purposes of illustration, the present invention pertains to a system for automatic verification of the identity of a person seeking access to protected property. Traditionally, property has been protected by mechanical locks and keys, or by combination locks or electronic devices requiring the memorization of combinations, passwords and personal identification numbers (PINs).

[0017] In accordance with the present invention, the person seeking access to protected property carries a portable device that includes a sensor capable of obtaining selected biometric measurements associated with the person, and communicating with a related device located near the "door" of the protected property. Preferably, the portable device also includes identity verification means, which compares the biometric measurements obtained from the sensor with corresponding measurements stored in a reference set of biometric measurements that were obtained from the same person during an enrollment procedure performed earlier.

[0018] FIG. 1 shows diagrammatically how the invention is used to open a "door," indicated by reference numeral 10, to protected property. A person 12 seeking entry to the door 10 carries a small handheld device 14, which may take the form of a fob. The fob 14 communicates with a receiver 15 located near the door 10. In the presently preferred embodiment of the invention, the fob 14 or similar portable device includes a biometric sensor, which, in the presently preferred embodiment of the invention, is a fingerprint sensor 16. It will be understood, however, that the principles of the invention are also applicable to a device that employs other biometric properties to identify the user 12, such as print patterns from other parts of the anatomy, or iris patterns of the eye.

[0019] When the user 12 places a finger over the sensor 16 and actuates a switch, the person's fingerprint is scanned and is compared with a reference fingerprint image stored in the fob 14, which includes a fingerprint correlator for this purpose. If the comparison results in a match, the fob 14 transmits a confirming message to the door 10, which is opened to allow access by the user 12.

[0020] The nature of the confirming message sent to the door 10 is of considerable importance, because a simple "OK" or "open" signal in a standardized format would be easy to duplicate in a "cloning" process, and unauthorized access would be a relatively simple matter. The confirming message should ideally be in the same format for different access "doors," but should be encoded or encrypted in a way that prevents its duplication and prevents reverse engineering of the fob 14. Details of one technique for accomplishing these goals are provided below.



[0021] FIG. 2 shows the principal components of the fob 14, including the fingerprint sensor 16, a processor module 20, a transceiver 22 and a battery power supply 24. The fingerprint sensor 16 may be of any available design, and may include a capacitive or optical sensor. The sensor 16 produces a binary or grayscale image of a portion of the user's fingerprint. For rapid processing, the entire image may not be used in the comparison process that follows, but what the sensor 16 provides is a detailed "map" of the fingerprint including all of its ridges and valleys. The processor module 20 is shown in more detail in FIG. 3.

[0022] The processor module 20 includes a processor 26, which may be, for example, a RISC (reduced instruction set computer) processor, a fingerprint matcher, which is a feature correlator 28 in the preferred embodiment of the invention, a cyclic redundancy code (CRC) generator 30, storage 32 for a reference fingerprint image, encryption logic 34 and storage 36 for a private encryption key. The fob 14 also includes a user interface 38 through which the user 12 initiates operation in various modes. Basically, the user interface 38 includes one main operating button, which may be incorporated into the fingerprint sensor 16, and at least one additional button to initiate operation in the enrollment mode. The principal function of the RISC processor 26 is to pre-process and enhance the fingerprint image provided by the sensor 16. Pre-processing includes "cleaning" the image, cropping the image to eliminate background effects, enhancing contrast in the image, and converting the image to a more manageable binary form. In the enrollment mode, the pre-processed image is stored in the reference image storage area 32, as indicated by the broken line 40. Enrollment is performed when the user first acquires the fob 14, and is normally not repeated unless the fob is lost or damaged. For additional security and convenience, the user may be asked to enroll two fingerprints, to allow for continued access if the user injures a finger, for example. In a verification mode of operation, the pre-processed fingerprint image is input to the correlator 28, as indicated by line 43, where it is compared with the reference image obtained from storage 32 over line 44. The correlator 28 uses an appropriate technique to compare the images, depending on the level of security desired. Because speed of operation is an important factor, a bit-by-bit comparison of the entire images is usually not performed. Rather, significant features of the reference image are identified and the same features are looked for in the newly scanned image. The techniques disclosed in U.S. Patent No. 5,067,162 may, for example, be incorporated into the correlator 28 for some applications of the fob 14. Preferably, the fingerprint correlator 28 should follow the teachings of a co-pending patent application entitled "Fingerprint Feature Correlator," by inventors Bruce W. Evans et al., which is hereby incorporated by reference into this specification. As a result of the comparison of the images, the correlator 28 may generate a match signal on line 46, which activates the CRC generator 30. If a no-match signal is generated, as indicated on line 48, no further processing is performed. Optionally, the no-match signal on line 48 may be used to actuate an indicator on the user interface 38.

[0023] The cyclic redundancy code (CRC) generator 30, when actuated by a match signal on line 46, generates a relatively long (such as 128 bits) binary number derived from the reference image data. The CRC provides a single number that, for all practical purposes, uniquely identifies the stored reference fingerprint image. Even if two fingerprint images produced the same CRC, which is highly unlikely, the security of the system of the invention would not be compromised, as will shortly become clear.

[0024] The CRC itself is not stored in the fob 14, but is transmitted in encrypted form to the door receiver 15. Before using the fob 14 for access to a particular door 10 for the first time, the user 12 must first "register" at the door. The registration process is one in which an administrator of the door stores the user's name (or account number, or other identifying information), in association with a public encryption key to be used in the user's fob 14, and the user's CRC as derived from the user's reference fingerprint. If the door 10 provides access to a financial institution, for example, the user will register by bringing his or her fob 14 to the institution, and transmitting the fingerprint CRC from the fob to the door receiver 15. In the registration mode, the door receiver 15 will store the user's CRC in association with the user's name or other identifying information. As part of the registration process, the user 12 will normally be required to present some form of identification other than the fob 14, to prove to the institution that the user is, in fact, the one whose name or other identifying information is presented and will be stored in the door 10.

[0025] The registration process for access to more personal properties, such as one's automobile, is much simpler, but the user's name or other identifying information is still stored in the door in association with the CRC and the fob public encryption key. Even personal properties, such as automobiles, should have the capability to store several different sets of personal information, for use by multiple family members, for example. As will now be explained in more detail, in a subsequent use of the fob 14 for access to a door 10 at which the user has registered, the fob transmits a user name and the CRC corresponding to the stored reference image. Logic at the door 10 then compares the received CRC with the one that was stored for the named user during registration. If there is a match, the door is opened for the user.

[0026] FIG. 4 shows the communications that pass between the fob 14 or other personal identification device and a door 10, four different forms of which are shown, including a car door 10.1, a building door 10.2, an automatic teller machine (ATM) 10.3, and a computer 10.4. Each door 10 has an actuator 50, to perform some desired operation, such as opening the door, and each door also has a database 52 in which is stored the user name, the user fob public encryption key and the user CRC, for each user registered to use the door.

[0027] When the user actuates the fob 14, the user name is transmitted to the door 10 in non-encrypted form, as indicated by line 54. Optionally, this step may be triggered automatically as the user approaches the door 10. As indicated by line 56, the door 10 may transmit a "wake-up" call that is received by an approaching fob 14, which then transmits the user name.

[0028] On receiving the user name, the door 10 generates a random pair of public and private encryption keys to be used in the ensuing exchange of messages. Since public key encryption is used in this illustrative embodiment of the invention, a few words of explanation are called for, but it will be understood that the principles of public key encryption are well understood in the field of secure communication.

[0029] In public key encryption, two separate encryption keys are used: a "public" key (potentially known to everyone and not kept secret), and a "private" key (known to only one party in a communication from one party to another). The pair of public-private keys has the property that, if either of them is used to encrypt a message, the other one of the pair will decrypt the message. For example, party A can send a secure message to party B by first encrypting with B's public key. Only B can decrypt the message, because only B has B's private key needed for decryption. Similarly, B could send an encrypted message to A using B's private key for encryption. A could decrypt the message with B's public key, but so could anyone else, because B's public key may be known to others. Therefore, the message transmitted using this "backward" form of public key encryption would not be secure.

[0030] The illustrative embodiment of the present invention uses a double encryption form of public key encryption. Both the fob 14 and the door 10 have a public-private key pair. As presently contemplated, the fob 14 of the invention will have a "fixed" public and private key pair, that is to say the public and private keys will not be changed from one use of the fob to the next. The fob public key is registered with each door 10 and it would be impractical to change it for every use. The fob private key is stored (at 36, FIG. 3) in the fob 14, preferably in a form in which it cannot be discerned by inspection or reverse engineering. The key may, for example, be encoded into the silicon structure of the processor module 20 in such a way that it is practically indecipherable by any normal reverse engineering technique. Each door 10 generates a new public-private key pair on every new use of the door. Thus, these keys cannot be determined in advance of the actual message exchange with a fob 14.

[0031] Upon receipt of a user name from the fob 14, the door 10 to which access is sought generates a random pair of public-private keys, and transmits the public key to the fob without encryption, as indicated by line 58. Then, if the fob 14 has validated the user's identification by successfully matching the sensed fingerprint image with the reference image, the fob performs two levels of encryption on the CRC that is generated. First the encryption logic 34 in the fob 14 encrypts the CRC using the door's public key. Then the resulting encrypted CRC is doubly encrypted using the fob's private key. The doubly encrypted CRC is transmitted to the door 10, where it is decrypted using the fob's public key and then using the door's private key to recover the CRC. The door 10 then compares this CRC with the CRC in its database 52 associated with the user name seeking access to the door. If there is a match, the door 10 signals its actuator 50 to open the door or to perform some other desired operation.

[0032] It will be appreciated from this description that the invention provides an extremely secure technique for accessing protected property. The fob 14 is designed such that it cannot initiate a door opening operation without first matching the fingerprint of the user with the stored reference image. Even if a fob thief successfully re-enrolls his own fingerprint into the fob, the CRCs stored in each of the doors where the rightful user is registered would prevent operation of the doors by the thief.

[0033] Someone attempting to fabricate a "cloned" fob would not have the fob private key, so the door would be unable to decrypt messages from the cloned fob. If someone were to eavesdrop on a fob transmission and try to emulate this message in a subsequent attempt to open the same door, this approach would be foiled by the door's use of a different set of keys for each transaction. Therefore, the fob's encrypted message to any door will be different on each occasion.

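The exchange of paragraphs [0027] to [0033], as an added example that is not part of the patent text: a toy model in which the door accepts the owner and rejects a replayed message, a fob with the wrong private key, and a re-enrolled fob. It assumes textbook RSA (no padding, short keys) for the unspecified public-key algorithm, where the inner ciphertext must be smaller than the fob modulus; the names `crc128`, `Door`, `fob_respond`, the CRC polynomial, the key sizes and the user name are all assumptions of the example.

```python
"""Toy model of the fob/door exchange: textbook RSA, no padding, short keys."""
import secrets

E = 65537                  # public exponent (assumption of this example)
MASK128 = (1 << 128) - 1
POLY = 0x87                # illustrative CRC polynomial, not from the patent

def crc128(data: bytes) -> int:
    """Bitwise 128-bit CRC, standing in for CRC generator 30."""
    reg = 0
    for byte in data:
        reg ^= byte << 120
        for _ in range(8):
            reg = ((reg << 1) ^ POLY) if reg >> 127 else (reg << 1)
            reg &= MASK128
    return reg

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(prime_bits: int):
    """Return ((n, e), (n, d)); n has exactly 2 * prime_bits bits."""
    def prime() -> int:
        while True:   # top two bits set fix the modulus size; low bit: odd
            c = secrets.randbits(prime_bits) | (3 << (prime_bits - 2)) | 1
            if c % E != 1 and is_probable_prime(c):
                return c
    p, q = prime(), prime()
    while q == p:
        q = prime()
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def fob_respond(crc: int, fob_priv, door_pub) -> int:
    """[0031]: encrypt CRC with door public key, then with fob private key."""
    (n_f, d_f), (n_d, e_d) = fob_priv, door_pub
    if not crc < n_d < n_f:
        raise ValueError("need CRC < door modulus < fob modulus")
    return pow(pow(crc, e_d, n_d), d_f, n_f)

class Door:
    def __init__(self):
        self.db = {}        # database 52: user name -> (fob public key, CRC)
        self.session = {}   # user name -> one-time door private key

    def register(self, name, fob_pub, crc):
        self.db[name] = (fob_pub, crc)

    def challenge(self, name):
        """[0028]: new random key pair per attempt; the public half is sent."""
        pub, priv = gen_keypair(96)
        self.session[name] = priv
        return pub

    def verify(self, name, blob: int) -> bool:
        priv = self.session.pop(name, None)      # door keys are single-use
        if priv is None or name not in self.db:
            return False
        ((n_f, e_f), crc), (n_d, d_d) = self.db[name], priv
        inner = pow(blob, e_f, n_f)              # undo the fob private key
        return inner < n_d and pow(inner, d_d, n_d) == crc

def run_demo() -> dict:
    owner_crc = crc128(b"constructed reference image: owner")   # sample data
    thief_crc = crc128(b"constructed reference image: thief")
    fob_pub, fob_priv = gen_keypair(128)
    _, clone_priv = gen_keypair(128)       # a cloner does not have the fob's key
    door = Door()
    door.register("alice", fob_pub, owner_crc)
    out = {}
    captured = fob_respond(owner_crc, fob_priv, door.challenge("alice"))
    out["owner"] = door.verify("alice", captured)
    door.challenge("alice")                # next attempt: door picks new keys
    out["replay"] = door.verify("alice", captured)
    blob = fob_respond(owner_crc, clone_priv, door.challenge("alice"))
    out["clone"] = door.verify("alice", blob)
    blob = fob_respond(thief_crc, fob_priv, door.challenge("alice"))
    out["re_enrolled"] = door.verify("alice", blob)   # [0032]: CRC mismatch
    return out

if __name__ == "__main__":
    print(run_demo())
```

The rejection of the replayed message depends entirely on the door discarding its private key after one attempt, which is why `verify` removes the session entry before checking anything else.
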
[0034] An additional level of security may be provided by storing the CRC at the door 10 in an internally encrypted form, to prevent theft of CRCs from doors.

[0035] It will be understood from the foregoing that the present invention represents a significant advance in the field of security devices for limiting access to property. In particular, the invention allows a person to obtain access to many different properties using a single handheld device that verifies its owner's identity very reliably, using unique biometric parameters, such as those found in a fingerprint. Moreover, the device of the invention is highly resistant to reverse engineering, "cloning" and other techniques for tampering to obtain access to the protected properties. It will also be appreciated that, although a specific embodiment of the invention has been described in detail for purposes of illustration, various modifications may be made without departing from the spirit and scope of the invention, which should not be limited except as by the appended claims.

Claims 

1. Apparatus for automatically verifying the identity of a person seeking access to a protected property, the apparatus comprising:

a sensor, for reading biometric data identifying a person seeking access to a protected property;
storage means, for storing reference biometric data identifying a person authorized to have access to the protected property;
a correlator, for comparing the stored reference biometric data with the biometric data of the person seeking access and determining whether they match; and
means for securely communicating identity confirmation to a door that provides access to the protected property upon receipt of the identity confirmation.

2. Apparatus as defined in claim 1, and further comprising:

a user interface having a first switch to initiate operation of the apparatus in a verification mode, and a second switch, actuation of which places the apparatus in an enroll mode of operation, wherein biometric data from the sensor are stored in the storage means for subsequent retrieval in the verification mode of operation; and/or wherein:
the sensor, the storage means and the correlator are all contained in a portable device.

3. Apparatus as defined in claim 2, wherein:

the sensor, the storage means and the correlator are all contained in a portable fob carried by the person; and/or wherein:
the sensor, the storage means and the correlator are all contained in a communication device remote from the protected property; and/or
wherein the means for securely communicating identity confirmation includes:
means for generating a numerical value from the stored reference biometric data;
encryption logic, for encrypting the numerical value; and
a communication interface for sending the encrypted numerical value to the door, together with identification data for the person;
wherein the door provides the desired access to the protected property upon confirming that the transmitted numerical value is the same as one previously provided by the person during a registration procedure; and
said apparatus preferably further comprising:
a receiver, for receiving an encryption key generated by and transmitted from the door; and
means for storing a private encryption key in the portable device;
and wherein the encryption logic includes means for doubly encrypting the numerical value using the encryption key received from the door and the private encryption key.

4. A personal identification fob for automatically verifying the identity of a user seeking to use the fob for access to a protected property, the fob comprising:

a sensor, for reading fingerprint data identifying a user seeking access to a protected property;

a memory for storing a reference fingerprint image of the user during an enrollment procedure and for holding the reference image for future use;

an image correlator, for comparing the stored reference image with a fingerprint image of the user seeking access, as obtained from the sensor, and for determining whether the two images match; and

means for securely communicating identity confirmation to a door that provides access to the protected property upon receipt of the identity confirmation.

5. A personal identification fob as defined in claim 4, wherein the means for securely communicating identity confirmation includes:

means for generating a numerical value from the stored reference fingerprint image;

encryption logic, for encrypting the numerical value; and

a transmitter for sending the encrypted numerical value to the door, together with user identification data;

wherein the door provides the desired access to the protected property upon confirming that the transmitted numerical value is the same as one previously provided by the user during a registration procedure; and

wherein preferably the means for generating a numerical value includes means for generating a cyclic redundancy code from the stored reference fingerprint image; and/or

said personal identification fob preferably further comprises:

a receiver, for receiving an encryption key generated by and transmitted from the door; and

means for storing a private encryption key in the fob;

and wherein the encryption logic includes means for doubly encrypting the numerical value using the encryption key received from the door and the private encryption key.

6. A method for automatically verifying the identity of a user seeking access to a property protected by a door, the method comprising the steps of:

sensing biometric data of a user, through a sensor that is part of a personal identification device carried by the user;

comparing the sensed biometric data with reference biometric data previously stored in the personal identification device;

determining whether the sensed biometric data match the reference biometric data;

if there is a match, securely communicating an identity confirmation to a door that controls access to the protected property; and

upon confirmation of the identity of the user at the door, actuating a device that provides the desired access.

7. A method as defined in claim 6, and further comprising the step of:

initiating normal operation of the personal identification device by means of a manual switch; and/or further comprising the steps of:

receiving a "wake-up" message from the door on approaching it to seek access; and

initiating normal operation of the personal identification device on receiving the "wake-up" message; and/or

wherein the step of securely communicating includes:

generating a numerical value from the stored reference biometric data;

encrypting the numerical value;

transmitting the encrypted numerical value to the door;

transmitting user identification data to the door;

receiving and decrypting the encrypted numerical value, at the door;

comparing the decrypted numerical value with one previously stored at the door by the user during a registration process, to confirm the identity of the user; and

if the identity of the user is confirmed, activating a desired function to provide access to the protected property; and

wherein the step of securely communicating preferably further comprises:

generating at the door a random pair of door public and private encryption keys;

transmitting the door public key to the personal identification device;

selecting for the personal identification device a pair of public and private encryption keys for all subsequent uses of the device;

providing the personal identification device public key to the door as part of the door registration process; and

storing the personal identification device private key secretly in the device;

and wherein the encrypting step includes doubly encrypting the numerical value with the door public key and the personal identification device private key; and

wherein the door preferably performs the additional step of: decrypting the doubly encrypted numerical value using the personal identification device public key and the door private key.

8. A method for a user to obtain access to property protected by a normally locked door, the method including the steps of:

placing a finger on a fingerprint sensor in a fob while approaching a door;

actuating the fob to sense and record a fingerprint of the user;

comparing the sensed fingerprint with reference fingerprint data previously stored in the fob;

upon a successful comparison, transmitting an identity confirmation from the fob to the door that protects the property; and

unlocking the door upon receipt of an identity confirmation.

9. A method as defined in claim 8, wherein the step of transmitting an identity confirmation includes:

encrypting the identity confirmation in the fob; and

decrypting the identity confirmation at the door.


10. A method as defined in claim 9, wherein:

the step of encrypting includes doubly encrypting; and

the step of decrypting includes doubly decrypting; and

wherein the step of doubly encrypting preferably includes first encrypting the identity confirmation using a public door encryption key generated in and received from the door and then further encrypting using a private fob encryption key stored in the fob; and

the step of doubly decrypting includes first decrypting using a public fob encryption key provided by the user on prior registration at the door and then decrypting using a private door encryption key generated in the door.
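The double encryption and double decryption recited in claims 7 and 10 can be traced end to end in the following added example, which is not part of the patent text. It assumes textbook RSA built from fixed Mersenne primes and `zlib.crc32` as the cyclic redundancy code (the claims name no cipher or polynomial), and all function, variable and user names are hypothetical.

```python
import zlib

# Assumption: toy unpadded RSA from fixed, publicly known primes. This only
# traces the order of operations in the claims and is not a usable cipher.
E = 65537

def keypair(p, q):
    """Return (public, private) keys as (exponent, modulus) tuples."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)

DOOR_PUB, DOOR_PRIV = keypair(2**31 - 1, 2**61 - 1)    # generated in the door
FOB_PUB, FOB_PRIV = keypair(2**89 - 1, 2**107 - 1)     # private half stays in fob

def numerical_value(reference_image: bytes) -> int:
    """Cyclic redundancy code of the stored reference image."""
    return zlib.crc32(reference_image)

def fob_double_encrypt(value, door_pub, fob_priv):
    """Encrypt with the door public key, then with the fob private key."""
    (e_d, n_d), (d_f, n_f) = door_pub, fob_priv
    # The inner ciphertext must fit under the outer modulus or it is lost.
    if not (value < n_d < n_f):
        raise ValueError("need value < door modulus < fob modulus")
    inner = pow(value, e_d, n_d)
    return pow(inner, d_f, n_f)

def door_double_decrypt(message, fob_pub, door_priv):
    """Decrypt with the fob public key, then with the door private key."""
    (e_f, n_f), (d_d, n_d) = fob_pub, door_priv
    inner = pow(message, e_f, n_f)
    return pow(inner, d_d, n_d)

def door_grants_access(message, user_id, registry, door_priv):
    """Compare the decrypted value with the one stored at registration."""
    entry = registry.get(user_id)
    if entry is None:
        return False
    fob_pub, registered_value = entry
    return door_double_decrypt(message, fob_pub, door_priv) == registered_value

# Constructed sample data: registration stores the fob public key and the value.
REFERENCE_IMAGE = bytes(range(256)) * 4
REGISTRY = {"user-1": (FOB_PUB, numerical_value(REFERENCE_IMAGE))}
MESSAGE = fob_double_encrypt(numerical_value(REFERENCE_IMAGE), DOOR_PUB, FOB_PRIV)
```

The modulus-ordering check is the practical detail the claim language leaves open: with two independent RSA moduli, the inner ciphertext is only recoverable when it is smaller than the outer modulus.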
[Figure: block diagram. Blocks: PROCESSOR MODULE, including processor (e.g. RISC), correlator, reference image storage, cyclic redundancy code generator, private key storage and encryption logic; WIRELESS TRANSCEIVER (or interface to other communication device); FINGERPRINT SENSOR (capacitive, optical or other type); POWER SUPPLY (battery).]